Privacy Policy
How Kuration AI handles personal data across the platform, websites, Chrome extension, and Managed Services. Consistent with our Terms, DPA, DLA, Sub-processor list, AUP, and Data Subject Notice.
Last updated 17 April 2026
Effective date: 17 April 2026
Kuration AI Limited ("Kuration," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we handle personal data when you visit our websites, use the Kuration platform or API, interact with the Chrome extension, engage us for Managed Services, or otherwise deal with us.
We are a B2B data company. We build custom databases of business professionals and companies, primarily from public and offline sources, and license them to other businesses. We are not a consumer service.
This Privacy Policy covers three groups of people:
- Customers and users of the Services — people who sign up, log in, buy, or contract with us.
- Visitors to our websites at `kurationai.com`, `kuration.ai`, and `kuration.io`.
- Business professionals whose information appears in the Kuration database. If that's you, please read the separate Data Subject Notice, which is written specifically for you and explains what we hold about you, why, and how to exercise your rights.
For a full list of the parties we share data with, see our Sub-processors list. For how we process Personal Data on behalf of business customers (as a processor), see our Data Processing Agreement. For what customers may and may not do with the data we license to them, see our Terms of Service, Data License Agreement, and Acceptable Use Policy.
1. Who we are (the controller)
Kuration AI Limited
- Company Registration No. 76420894, Hong Kong
- Registered office: Unit 2A, 17/F., Glenealy Tower, No. 1 Glenealy, Central, Hong Kong
- Phone: +852 5596 8334
- Website: https://kurationai.com
Our data protection contact is privacy@kuration.ai. Where required by law, we will appoint or name a Data Protection Officer; write to dpo@kuration.ai.
We act as controller for the personal data described in this Privacy Policy, except where we process customer-submitted data on behalf of a business customer under a data processing agreement — see §8 (Our roles under data protection law).
2. What we collect
2.1 From customers and users
- Account data. Name, work email, work phone (optional), company, job title, role, password hash, and preferences.
- Billing data. Billing name, billing address, tax identifiers, payment method metadata. We do not store full card numbers — payments are handled by our payment processor (Stripe).
- Usage data. Logs of how you use the Services (pages viewed, queries run, API calls made, feature interactions), together with device, browser, operating system, approximate location (from IP), and timestamps. We use this to operate, secure, and improve the Services.
- Customer Content. Data you submit to the Services, such as lists you upload for enrichment, prompts you run against AlexAI, or files you attach to a Managed Services engagement. We act as your processor for Customer Content that is personal data — see §8.
- Support and communications. Messages you send us, tickets you file, call notes, and feedback.
2.2 From visitors to our websites
- Device and connection data. IP address, browser type and version, device type, operating system, referring URL, pages viewed, and the time and duration of each visit.
- Cookies and similar technologies. See §10 (Cookies) for the specific cookies and analytics tools we use.
- Form submissions. If you fill in a contact form, request a demo, submit a newsletter sign-up, or submit the Data Removal Request form, we collect the fields you provide.
2.3 From public and purchased sources (the Kuration database)
For business professionals whose information may appear in the Kuration database, see the dedicated Data Subject Notice. The short version: we compile B2B professional data from lawful, publicly available, or purchased sources, under a documented Legitimate Interests Assessment.
2.4 What we do not collect
We do not knowingly collect:
- Sensitive categories of personal data (health, religion, political opinions, sexual orientation, precise geolocation, biometric data, or data of children under 18);
- Payment card numbers (handled by Stripe);
- Personal communications of consumers in their non-business capacity.
If we receive such data inadvertently — for example, in a Customer Content upload — we will delete it or handle it under appropriate safeguards on request.
3. How we use personal data
We use personal data to:
- Provide the Services. Create and manage your Account, authenticate you, deliver features and support, respond to your queries, and process transactions.
- Operate and secure the Services. Monitor performance, prevent abuse and fraud, debug errors, and maintain availability and integrity.
- Improve the Services. Analyse aggregated usage data to understand what works, prioritise features, and debug. We do not train third-party AI models on Customer Content except where expressly permitted in an Order Form.
- Bill and account. Charge fees, issue invoices, recover debts, and maintain financial records.
- Communicate with you. Send transactional messages (service notices, security alerts, policy updates). Send marketing communications only where you have opted in, and always with an unsubscribe option.
- Comply with the law. Respond to legal requests, meet statutory obligations, and enforce our agreements.
- Compile the Kuration database. Collect and maintain professional contact data from public and purchased sources for B2B data intelligence services — see the Data Subject Notice.
4. Legal bases (EEA, UK, and equivalent jurisdictions)
For data subjects in the European Economic Area, the United Kingdom, or jurisdictions with an equivalent framework, we rely on the following legal bases:
| Purpose | Legal basis (GDPR / UK GDPR) |
|---|---|
| Create and operate customer Accounts | Performance of a contract (Art. 6(1)(b)) |
| Bill for the Services | Performance of a contract; legal obligation |
| Provide customer support | Performance of a contract; legitimate interests |
| Send transactional service messages | Legitimate interests; performance of a contract |
| Send marketing emails to customers about new features | Legitimate interests (soft opt-in where applicable) or consent |
| Send marketing to prospects | Consent |
| Maintain security and prevent abuse | Legitimate interests |
| Comply with law, respond to legal requests | Legal obligation |
| Compile and maintain the Kuration B2B database | Legitimate interests (supported by a documented LIA) |
You have the right to object to processing we conduct on the basis of legitimate interests — see §9 (Your rights).
In other jurisdictions we rely on the equivalent local basis (for example, under the Hong Kong PDPO, collection for a purpose directly related to our B2B data function; under CCPA/CPRA, a covered business-to-business purpose).
5. Who we share personal data with
We share personal data with:
- Our sub-processors. Cloud hosts, authentication, email delivery, payment, and AI providers that help us operate the Services. The current list is published at https://kurationai.com/sub-processors.
- Our customers. For the Kuration database, our customers receive professional data for their B2B purposes, subject to the restrictions in our Terms of Service, Data License Agreement, and Acceptable Use Policy. We do not share our customers' Account data with other customers.
- Professional advisers. Lawyers, accountants, auditors, and insurers, under confidentiality obligations.
- Prospective buyers. In the event of a merger, acquisition, reorganisation, or sale of assets, to the prospective counterparty under appropriate confidentiality obligations.
- Authorities. Where required by law, court order, or lawful request.
We do not sell personal data to advertisers or data brokers outside of our core B2B licensing model, and we do not use your Account data to train AI models that compete with the Services.
6. International transfers
Kuration is established in Hong Kong. Our infrastructure, sub-processors, and AI providers are located in the European Union, the United Kingdom, the United States, and other jurisdictions.
Where transfers cross borders into jurisdictions that are not the subject of an adequacy decision, we implement appropriate safeguards:
- EU / EEA → Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with supplementary measures as appropriate.
- UK → the UK ICO's International Data Transfer Addendum (IDTA v B1.0) to the EU SCCs.
- Other jurisdictions → the safeguards required by local law (for example, UAE PDPL cross-border transfer rules, KSA PDPL Art. 29, Singapore PDPA Transfer Limitation Obligation).
See our Data Processing Agreement, Annexes I and III, for the specific transfer mechanisms and locations.
7. How long we keep personal data
We keep personal data for as long as necessary for the purposes described above, subject to the following:
- Account data. For the life of the Account and for a limited period afterwards to meet legal, tax, and accounting obligations (typically 7 years in Hong Kong).
- Billing data. Retained for the period required by tax law (typically 7 years).
- Support communications. Retained for up to 3 years after closure of the matter.
- Customer Content. Retained for the duration of the Principal Agreement and for 30 days after termination, unless a longer retention is required by law. See the DPA §9 for the controller-to-processor retention terms.
- Kuration database records. Retained for as long as the record remains useful and verifiable. When a record becomes stale or a data subject requests deletion, we remove the record and add the identifier to a suppression list to prevent re-ingestion.
- Website analytics and logs. Typically retained for up to 13 months.
Specific retention periods in an Order Form or DPA override these defaults for the engagement in question.
8. Our roles under data protection law
Depending on the data in question, we act as:
- Controller — for Customer Account data, billing data, usage logs, support communications, marketing contacts, website analytics, and the Kuration database.
- Processor — for Customer Content that a customer submits to the Services for processing (for example, a list uploaded for enrichment). Our processing in this role is governed by the Data Processing Agreement.
- Independent controller — for Kuration database records that we license to a customer. The customer becomes an independent controller on receipt and is responsible for its own compliance with data protection law.
This tri-modal framing is reflected in Section 10 of our Terms of Service and in Section 2 of our DPA.
9. Your rights
Depending on where you live, you have some or all of the following rights:
- Access — get a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or outdated information.
- Erasure ("right to be forgotten") — ask us to delete your personal data, subject to limited exceptions (for example, where retention is required by law).
- Restriction — limit how we use your data while a dispute is being resolved.
- Objection — object to processing we conduct on the basis of legitimate interests.
- Portability — receive your data in a portable format, where applicable.
- Withdraw consent — for processing based on consent, withdraw at any time.
- Non-discrimination — not be retaliated against for exercising your rights.
- Complaint — complain to the supervisory authority in your jurisdiction.
We do not use personal data to make automated decisions that produce legal or similarly significant effects within the meaning of GDPR Article 22. Our customers are also contractually prohibited from doing so (see the Acceptable Use Policy §1).
How to exercise your rights
- Data subjects (individuals in the Kuration database): use the Data Removal Request form, or email privacy@kuration.ai. See the Data Subject Notice for the full procedure.
- Customers and users: email privacy@kuration.ai from the email address on your Account, or use the in-product controls where available.
We respond within the timeframe required by applicable law (30 days under GDPR, with a possible two-month extension for complex requests; 45 days under CCPA with one 45-day extension). We may ask you to verify your identity before acting on a request.
Regional specifics
- European Economic Area / United Kingdom. You may complain to your national data protection authority (EEA) or to the UK Information Commissioner's Office at ico.org.uk.
- Hong Kong. You may complain to the Office of the Privacy Commissioner for Personal Data (PCPD) at pcpd.org.hk.
- United Arab Emirates. You may complain to the UAE Data Office.
- Kingdom of Saudi Arabia. You may complain to the Saudi Data & AI Authority (SDAIA).
- Singapore. You may complain to the Personal Data Protection Commission (PDPC).
- California. You may complain to the California Privacy Protection Agency (CPPA) at cppa.ca.gov. California-specific rights (including "do not sell or share my personal information," the right to limit use of sensitive personal information, and the right to non-discrimination for exercising rights) are supported through the channels above. We do not knowingly sell or share personal information for cross-context behavioural advertising.
10. Cookies and similar technologies
Our websites use cookies and similar technologies to operate, secure, measure, and improve the site. A dedicated Cookie Policy (where published) provides the detailed list and purposes. In summary, we use:
- Strictly necessary cookies — authenticate you, maintain session state, secure the site.
- Functional cookies — remember preferences such as theme or locale.
- Analytics — understand aggregate traffic and feature usage. We use privacy-respecting providers and, where required by law, obtain consent before setting non-essential cookies.
You can usually manage or delete cookies in your browser settings. Blocking strictly necessary cookies may break parts of the site.
11. Security
We take security seriously and implement administrative, technical, and physical safeguards appropriate to the risks presented by our processing. These include encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, multi-factor authentication for internal access, segmented environments, monitoring and alerting, regular backups with point-in-time recovery, confidentiality obligations for staff, and a documented incident response process.
Report a suspected security issue to security@kuration.ai. See our Security page for more detail.
12. Children
The Services are intended for business use and are not directed to children. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, contact privacy@kuration.ai and we will delete it.
13. Changes to this Privacy Policy
We update this Privacy Policy from time to time. The "Last updated" date at the top reflects the current version. Material changes are communicated through the Services or by email to the primary contact on an Account. For the Kuration database and data subjects, material changes are posted to this page and to the Data Subject Notice.
14. Contact
- Privacy and data protection: privacy@kuration.ai
- Data Protection Officer (where appointed): dpo@kuration.ai
- Security: security@kuration.ai
- Abuse and misuse: abuse@kuration.ai
- Legal: legal@kuration.ai
- General / support: admin@kuration.ai · support@kuration.ai
- Kuration AI Limited, Unit 2A, 17/F., Glenealy Tower, No. 1 Glenealy, Central, Hong Kong
- Phone: +852 5596 8334